cTLD and DNS upgrade

Brad Knowles brad at stop.mail-abuse.org
Tue Jul 5 08:20:49 UTC 2005


At 9:58 AM +0200 2005-07-05, Peter Dambier wrote:

>  I have learned from cache poisoned resolvers it makes sense to
>  mirror all zones you can even on the resolver. I have seen many
>  ISP resolvers that do mirror the most important zones.
>
>  First it will prevent you from cache poisoning.

	I'm not convinced of that.  It may avoid certain failure modes, 
but I sincerely doubt that it will catch all of them.

	What tests have you done to prove that all known failure modes 
are covered by this solution?

>  Vixie's company does a commercial version of Bind that is split into
>  two programmes, the resolver and the nameserver.

	Vixie's company?  You mean Nominum?  He may have helped to found 
the company, but everything I've heard from various people who've 
worked there indicates that he hasn't had any material involvement in 
it for a very long time.

	Yes, Nominum does have the very best caching and 
authoritative-only servers that I've ever seen.  Unfortunately, 
they're pretty expensive.


	Note that PowerDNS also splits the caching/recursive functions 
from the authoritative side, as do just about all the other programs 
available that I am aware of.

	Paul Vixie himself has said that he wishes that this was 
something that could be changed about BIND, as he views the combined 
services in one program to be a significant security weakness.  I 
disagree with him, but I do agree that the default configurations 
should separate these functions.

	Note that I have said these functions should be split ever since 
doing the technical review for the 2nd edition of _DNS and BIND_, 
advice which Cricket Liu unfortunately chose not to accept (or maybe 
it just got lost through the cracks).  And I'm sure that I wasn't the 
first to come up with this idea, although alternatives to BIND at 
that point were pretty thin on the ground.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
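The split the reply argues for, shown as an added configuration example (constructed for this page, not from the original message, from ISC or from any of the products named): the combined default beside an authoritative-only and a recursive-only instance. Addresses use the 192.0.2.0/24 documentation range and "example.com" is a placeholder zone.

```conf
// Weak combined setup: one named process serves authoritative data for
// example.com AND answers recursive queries for anyone who asks.
options {
    directory "/var/named";
    // no "recursion no;" and no "allow-recursion": recursion is open
};
zone "example.com" { type master; file "example.com.zone"; };

// ---- Authoritative-only instance (constructed example) ----
options {
    directory "/var/named/auth";
    listen-on { 192.0.2.53; };        // public-facing address
    recursion no;                     // never resolve on behalf of clients
    allow-query { any; };             // our own zones are public data
    allow-query-cache { none; };      // BIND 9.4+: no cached answers served
    allow-transfer { 192.0.2.54; };   // secondary only
};
zone "example.com" { type master; file "example.com.zone"; };

// ---- Recursive-only instance (constructed example) ----
options {
    directory "/var/named/cache";
    listen-on { 192.0.2.1; };         // internal address, clients only
    recursion yes;
    allow-recursion { 192.0.2.0/24; };  // restrict to our own clients
    allow-query { 192.0.2.0/24; };
    // no authoritative zones here: a poisoned cache cannot taint
    // published data, and published data cannot be used to seed the cache
};
```

Each instance is a separate named process with its own named.conf, so a fault or poisoning attempt against one does not reach the other.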
